2022-09-05 03:06:08 -04:00
|
|
|
/*
|
|
|
|
|
Copyright (c) Edgeless Systems GmbH
|
|
|
|
|
|
|
|
|
|
SPDX-License-Identifier: AGPL-3.0-only
|
|
|
|
|
*/
|
|
|
|
|
|
2022-06-29 10:13:01 -04:00
|
|
|
package watcher
|
2022-05-23 05:36:54 -04:00
|
|
|
|
|
|
|
|
import (
|
2023-03-29 03:06:10 -04:00
|
|
|
"context"
|
2023-09-29 08:29:50 -04:00
|
|
|
"crypto/x509"
|
2022-05-23 05:36:54 -04:00
|
|
|
"encoding/asn1"
|
|
|
|
|
"fmt"
|
2022-06-15 10:00:48 -04:00
|
|
|
"path/filepath"
|
2022-05-23 05:36:54 -04:00
|
|
|
"sync"
|
|
|
|
|
|
2022-09-21 07:47:57 -04:00
|
|
|
"github.com/edgelesssys/constellation/v2/internal/atls"
|
2023-03-14 06:46:27 -04:00
|
|
|
"github.com/edgelesssys/constellation/v2/internal/attestation/choose"
|
2023-06-09 09:41:02 -04:00
|
|
|
"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
|
2023-04-06 11:00:56 -04:00
|
|
|
"github.com/edgelesssys/constellation/v2/internal/config"
|
2022-09-21 07:47:57 -04:00
|
|
|
"github.com/edgelesssys/constellation/v2/internal/constants"
|
|
|
|
|
"github.com/edgelesssys/constellation/v2/internal/file"
|
|
|
|
|
"github.com/edgelesssys/constellation/v2/internal/logger"
|
2022-05-23 05:36:54 -04:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// Updatable implements an updatable atls.Validator.
|
|
|
|
|
type Updatable struct {
|
2023-03-14 06:46:27 -04:00
|
|
|
log *logger.Logger
|
|
|
|
|
mux sync.Mutex
|
|
|
|
|
fileHandler file.Handler
|
2023-03-29 03:30:13 -04:00
|
|
|
variant variant.Variant
|
2023-09-29 08:29:50 -04:00
|
|
|
cachedCerts cachedCerts
|
2022-05-23 05:36:54 -04:00
|
|
|
atls.Validator
|
|
|
|
|
}
|
|
|
|
|
|
2023-09-29 08:29:50 -04:00
|
|
|
// NewValidator initializes a new updatable validator and performs an initial update (aka. initialization).
|
|
|
|
|
func NewValidator(log *logger.Logger, variant variant.Variant, fileHandler file.Handler, cachedCerts cachedCerts) (*Updatable, error) {
|
2022-05-23 05:36:54 -04:00
|
|
|
u := &Updatable{
|
2023-03-14 06:46:27 -04:00
|
|
|
log: log,
|
|
|
|
|
fileHandler: fileHandler,
|
|
|
|
|
variant: variant,
|
2023-09-29 08:29:50 -04:00
|
|
|
cachedCerts: cachedCerts,
|
2022-05-23 05:36:54 -04:00
|
|
|
}
|
2023-09-29 08:29:50 -04:00
|
|
|
err := u.Update()
|
2022-05-23 05:36:54 -04:00
|
|
|
|
2023-09-29 08:29:50 -04:00
|
|
|
return u, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type cachedCerts interface {
|
|
|
|
|
SevSnpCerts() (ask *x509.Certificate, ark *x509.Certificate)
|
2022-05-23 05:36:54 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Validate calls the validators Validate method, and prevents any updates during the call.
|
2023-03-29 03:06:10 -04:00
|
|
|
func (u *Updatable) Validate(ctx context.Context, attDoc []byte, nonce []byte) ([]byte, error) {
|
2022-05-23 05:36:54 -04:00
|
|
|
u.mux.Lock()
|
|
|
|
|
defer u.mux.Unlock()
|
2023-03-29 03:06:10 -04:00
|
|
|
return u.Validator.Validate(ctx, attDoc, nonce)
|
2022-05-23 05:36:54 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// OID returns the validators Object Identifier.
|
|
|
|
|
func (u *Updatable) OID() asn1.ObjectIdentifier {
|
2022-11-24 09:50:59 -05:00
|
|
|
u.mux.Lock()
|
|
|
|
|
defer u.mux.Unlock()
|
2022-05-23 05:36:54 -04:00
|
|
|
return u.Validator.OID()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Update switches out the underlying validator.
|
|
|
|
|
func (u *Updatable) Update() error {
|
|
|
|
|
u.mux.Lock()
|
|
|
|
|
defer u.mux.Unlock()
|
|
|
|
|
|
2022-06-28 10:51:30 -04:00
|
|
|
u.log.Infof("Updating expected measurements")
|
2022-05-23 05:36:54 -04:00
|
|
|
|
2023-05-03 05:11:53 -04:00
|
|
|
data, err := u.fileHandler.Read(filepath.Join(constants.ServiceBasePath, constants.AttestationConfigFilename))
|
|
|
|
|
if err != nil {
|
2022-05-23 05:36:54 -04:00
|
|
|
return err
|
|
|
|
|
}
|
2023-05-03 05:11:53 -04:00
|
|
|
cfg, err := config.UnmarshalAttestationConfig(data, u.variant)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return fmt.Errorf("unmarshaling config: %w", err)
|
2022-08-29 10:41:09 -04:00
|
|
|
}
|
2023-05-03 05:11:53 -04:00
|
|
|
u.log.Debugf("New expected measurements: %+v", cfg.GetMeasurements())
|
2022-08-29 10:41:09 -04:00
|
|
|
|
2023-09-29 08:29:50 -04:00
|
|
|
cfgWithCerts, err := u.configWithCerts(cfg)
|
2023-03-14 06:46:27 -04:00
|
|
|
if err != nil {
|
2023-09-29 08:29:50 -04:00
|
|
|
return fmt.Errorf("adding cached certificates: %w", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
validator, err := choose.Validator(cfgWithCerts, u.log)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return fmt.Errorf("choosing validator: %w", err)
|
2023-03-14 06:46:27 -04:00
|
|
|
}
|
|
|
|
|
u.Validator = validator
|
2022-05-23 05:36:54 -04:00
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
2023-09-29 08:29:50 -04:00
|
|
|
|
|
|
|
|
// addCachedCerts adds the certificates cached by the validator to the attestation config, if applicable.
|
|
|
|
|
func (u *Updatable) configWithCerts(cfg config.AttestationCfg) (config.AttestationCfg, error) {
|
|
|
|
|
switch c := cfg.(type) {
|
|
|
|
|
case *config.AzureSEVSNP:
|
|
|
|
|
ask, err := u.getCachedAskCert()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("getting cached ASK certificate: %w", err)
|
|
|
|
|
}
|
|
|
|
|
c.AMDSigningKey = config.Certificate(ask)
|
|
|
|
|
return c, nil
|
|
|
|
|
}
|
|
|
|
|
// TODO(derpsteb): Add AWS SEV-SNP
|
|
|
|
|
|
|
|
|
|
return cfg, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// getCachedAskCert returns the cached SEV-SNP ASK certificate.
|
|
|
|
|
func (u *Updatable) getCachedAskCert() (x509.Certificate, error) {
|
|
|
|
|
if u.cachedCerts == nil {
|
|
|
|
|
return x509.Certificate{}, fmt.Errorf("no cached certs available")
|
|
|
|
|
}
|
|
|
|
|
ask, _ := u.cachedCerts.SevSnpCerts()
|
|
|
|
|
if ask == nil {
|
|
|
|
|
return x509.Certificate{}, fmt.Errorf("no ASK available")
|
|
|
|
|
}
|
|
|
|
|
return *ask, nil
|
|
|
|
|
}
|
